PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pesieve::PatchAnalyzer Class Reference

A postprocessor of the detected code patches. Detects if the patch is a hook, and if so, tries to identify the address where it leads to. More...

#include <patch_analyzer.h>

Public Types

enum  t_hook_opcode {
  OP_SHORTJMP = 0xEB , OP_JMP = 0xE9 , OP_CALL_DWORD = 0xE8 , OP_PUSH_DWORD = 0x68 ,
  OP_JMP_VIA_ADDR_B1 = 0xFF , OP_JMP_VIA_ADDR_B2 = 0x25
}
 

Public Member Functions

 PatchAnalyzer (ModuleData &_moduleData, DWORD _sectionRVA, PBYTE patched_code, size_t code_size)
 
size_t analyze (PatchList::Patch &patch)
 

Protected Member Functions

size_t _analyze (PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
 
size_t _analyzeRelocated (PatchList::Patch &patch, BYTE *patch_ptr)
 
size_t parseJmpViaAddr (PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
 
size_t parseShortJmp (PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
 
size_t parseJmp (PatchList::Patch &patch, PBYTE patch_ptr, ULONGLONG patch_va)
 
size_t parseMovJmp (PatchList::Patch &patch, PBYTE patch_ptr, bool is_long)
 
size_t parsePushRet (PatchList::Patch &patch, PBYTE patch_ptr)
 
template<typename DELTA_T >
ULONGLONG getJmpDestAddr (ULONGLONG currVA, int instrLen, DELTA_T lVal)
 
bool is64Modifier (BYTE op)
 
bool isLongModifier (BYTE op)
 

Protected Attributes

bool isModule64bit
 
ModuleData& moduleData
 
DWORD sectionRVA
 
PBYTE patchedCode
 
size_t codeSize
 
std::set< DWORD > relocs
 

Detailed Description

A postprocessor of the detected code patches. Detects if the patch is a hook, and if so, tries to identify the address where it leads to.

Definition at line 9 of file patch_analyzer.h.

Member Enumeration Documentation

◆ t_hook_opcode

Enumerator
OP_SHORTJMP 
OP_JMP 
OP_CALL_DWORD 
OP_PUSH_DWORD 
OP_JMP_VIA_ADDR_B1 
OP_JMP_VIA_ADDR_B2 

Definition at line 12 of file patch_analyzer.h.
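The enumerators above are the first bytes of the inline-hook stubs the analyzer looks for: a short jmp (EB rel8), a near jmp or call (E9/E8 rel32), a push imm32 followed by ret, and an indirect jmp through a pointer slot (FF 25). The following is an added, stand-alone example (not pe-sieve's own code) that decodes such a stub into its type and destination using the standard x86/x64 encodings; the exact forms pe-sieve's parsePushRet and parseMovJmp accept, the readPtr callback for dereferencing the FF 25 pointer slot, the handling of only rax/eax in the mov/jmp form, and the sample byte sequences are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <string>

// Opcode values mirror the t_hook_opcode enum documented above.
enum HookOpcode : uint8_t {
    OP_SHORTJMP        = 0xEB,
    OP_JMP             = 0xE9,
    OP_CALL_DWORD      = 0xE8,
    OP_PUSH_DWORD      = 0x68,
    OP_JMP_VIA_ADDR_B1 = 0xFF,
    OP_JMP_VIA_ADDR_B2 = 0x25
};

struct HookInfo {
    std::string kind;   // empty if no recognised hook stub
    uint64_t    target; // resolved destination (or the pointer slot if it could not be read)
    size_t      length; // bytes consumed by the stub
};

// Reads an unaligned little-endian integer of type T from the buffer.
template <typename T>
static T readLE(const uint8_t* p) { T v; std::memcpy(&v, p, sizeof(T)); return v; }

// Destination of a relative branch: VA of the next instruction plus the signed delta
// (the same arithmetic getJmpDestAddr performs for rel8/rel32 operands).
template <typename DELTA_T>
static uint64_t jmpDestAddr(uint64_t currVA, size_t instrLen, DELTA_T delta) {
    return currVA + instrLen + static_cast<int64_t>(delta);
}

// Assumed callback to dereference the pointer slot of a "jmp [addr]" stub;
// returns false if the slot is not available (e.g. not part of the dump).
using PtrReader = std::function<bool(uint64_t addr, bool is64, uint64_t& out)>;

HookInfo analyzeHookStub(const uint8_t* code, size_t size, uint64_t va, bool is64,
                         const PtrReader& readPtr) {
    HookInfo h{"", 0, 0};
    if (!code || size < 2) return h;
    const uint8_t op = code[0];

    if (op == OP_SHORTJMP) {                                              // EB rel8
        h = {"short jmp", jmpDestAddr(va, 2, static_cast<int8_t>(code[1])), 2};
    } else if ((op == OP_JMP || op == OP_CALL_DWORD) && size >= 5) {      // E9/E8 rel32
        h = {op == OP_JMP ? "jmp" : "call", jmpDestAddr(va, 5, readLE<int32_t>(code + 1)), 5};
    } else if (op == OP_PUSH_DWORD && size >= 6 && code[5] == 0xC3) {     // 68 imm32 ; C3
        h = {"push/ret", readLE<uint32_t>(code + 1), 6};
    } else if (op == OP_JMP_VIA_ADDR_B1 && code[1] == OP_JMP_VIA_ADDR_B2 && size >= 6) { // FF 25 disp32
        // x86: disp32 is an absolute pointer slot; x64: it is RIP-relative to the next instruction.
        const int32_t disp = readLE<int32_t>(code + 2);
        const uint64_t slot = is64 ? jmpDestAddr(va, 6, disp) : static_cast<uint32_t>(disp);
        uint64_t target = 0;
        if (readPtr && readPtr(slot, is64, target)) h = {"jmp via addr", target, 6};
        else h = {"jmp via addr (unresolved slot)", slot, 6};
    } else {
        // mov rax, imm64 ; jmp rax  (48 B8 imm64 FF E0)   or   mov eax, imm32 ; jmp eax  (B8 imm32 FF E0)
        const bool rexW = (code[0] == 0x48);   // REX.W prefix selects the 64-bit immediate form
        const size_t i = rexW ? 1 : 0;
        if (i < size && code[i] == 0xB8) {
            const size_t immLen = rexW ? 8 : 4;
            const size_t total = i + 1 + immLen + 2;
            if (size >= total && code[i + 1 + immLen] == 0xFF && code[i + 2 + immLen] == 0xE0) {
                const uint64_t imm = rexW ? readLE<uint64_t>(code + i + 1) : readLE<uint32_t>(code + i + 1);
                h = {rexW ? "mov rax/jmp rax" : "mov eax/jmp eax", imm, total};
            }
        }
    }
    return h;
}

int main() {
    // Constructed sample stub (not captured memory): mov rax, 0xDEADBEEF ; jmp rax
    const uint8_t stub[] = {0x48, 0xB8, 0xEF, 0xBE, 0xAD, 0xDE, 0, 0, 0, 0, 0xFF, 0xE0};
    HookInfo h = analyzeHookStub(stub, sizeof(stub), 0x7FF600001000ULL, true, nullptr);
    std::printf("%s -> %#llx (%zu bytes)\n", h.kind.c_str(),
                static_cast<unsigned long long>(h.target), h.length);
    return 0;
}
```

Note that only the relative forms (EB/E9/E8) and the immediate forms (push/ret, mov/jmp) can be resolved from the patched bytes alone; the FF 25 form names a pointer slot, so the real destination is whatever that slot holds at scan time, which is why a memory reader is needed and why the result is flagged as unresolved when the slot cannot be read.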

Constructor & Destructor Documentation

◆ PatchAnalyzer()

pesieve::PatchAnalyzer::PatchAnalyzer ( ModuleData & _moduleData,
DWORD _sectionRVA,
PBYTE patched_code,
size_t code_size )
inline

Definition at line 21 of file patch_analyzer.h.

Member Function Documentation

◆ _analyze()

size_t pesieve::PatchAnalyzer::_analyze ( PatchList::Patch & patch,
PBYTE patch_ptr,
ULONGLONG patch_va )
protected

Definition at line 150 of file patch_analyzer.cpp.

◆ _analyzeRelocated()

size_t pesieve::PatchAnalyzer::_analyzeRelocated ( PatchList::Patch & patch,
BYTE * patch_ptr )
protected

Definition at line 180 of file patch_analyzer.cpp.

◆ analyze()

size_t pesieve::PatchAnalyzer::analyze ( PatchList::Patch & patch)

Definition at line 195 of file patch_analyzer.cpp.

◆ getJmpDestAddr()

template<typename DELTA_T >
ULONGLONG pesieve::PatchAnalyzer::getJmpDestAddr ( ULONGLONG currVA,
int instrLen,
DELTA_T lVal )
protected

Definition at line 6 of file patch_analyzer.cpp.

◆ is64Modifier()

bool pesieve::PatchAnalyzer::is64Modifier ( BYTE op)
protected

Definition at line 132 of file patch_analyzer.cpp.

◆ isLongModifier()

bool pesieve::PatchAnalyzer::isLongModifier ( BYTE op)
protected

Definition at line 141 of file patch_analyzer.cpp.

◆ parseJmp()

size_t pesieve::PatchAnalyzer::parseJmp ( PatchList::Patch & patch,
PBYTE patch_ptr,
ULONGLONG patch_va )
protected

Definition at line 26 of file patch_analyzer.cpp.

◆ parseJmpViaAddr()

size_t pesieve::PatchAnalyzer::parseJmpViaAddr ( PatchList::Patch & patch,
PBYTE patch_ptr,
ULONGLONG patch_va )
protected

Definition at line 39 of file patch_analyzer.cpp.

◆ parseMovJmp()

size_t pesieve::PatchAnalyzer::parseMovJmp ( PatchList::Patch & patch,
PBYTE patch_ptr,
bool is_long )
protected

Definition at line 55 of file patch_analyzer.cpp.

◆ parsePushRet()

size_t pesieve::PatchAnalyzer::parsePushRet ( PatchList::Patch & patch,
PBYTE patch_ptr )
protected

Definition at line 116 of file patch_analyzer.cpp.

◆ parseShortJmp()

size_t pesieve::PatchAnalyzer::parseShortJmp ( PatchList::Patch & patch,
PBYTE patch_ptr,
ULONGLONG patch_va )
protected

Definition at line 13 of file patch_analyzer.cpp.

Member Data Documentation

◆ codeSize

size_t pesieve::PatchAnalyzer::codeSize
protected

Definition at line 51 of file patch_analyzer.h.

◆ isModule64bit

bool pesieve::PatchAnalyzer::isModule64bit
protected

Definition at line 46 of file patch_analyzer.h.

◆ moduleData

ModuleData& pesieve::PatchAnalyzer::moduleData
protected

Definition at line 48 of file patch_analyzer.h.

◆ patchedCode

PBYTE pesieve::PatchAnalyzer::patchedCode
protected

Definition at line 50 of file patch_analyzer.h.

◆ relocs

std::set<DWORD> pesieve::PatchAnalyzer::relocs
protected

Definition at line 53 of file patch_analyzer.h.

◆ sectionRVA

DWORD pesieve::PatchAnalyzer::sectionRVA
protected

Definition at line 49 of file patch_analyzer.h.


The documentation for this class was generated from the following files: